Phish Bait

November 11, 2003

Q: My “credit card company”—the quotes are intentional—just sent me an e-mail alert, saying there’s been some unauthorized activity on my account. They’re asking for my card number, so they can verify my identity and cancel the charges. Sounds fishy, right? Is this the real deal, or what?

Repeat after Mr. Roboto: “I, [insert name here], will never, ever, ever transmit my credit card information via e-mail.” The only time you should enter your magic digits is on a secure Web form, and even then you should be vigilant: make sure the address in the browser bar really is the company you meant to visit, not a look-alike. Kudos, though, for sniffing out one of the hottest scams going nowadays, spoof e-mails that try to tease out your vital financial info. Once you’ve got your guard up, they’re easy to spot, and they can even afford you the chance to sharpen your Internet sleuthing skills.

The Federal Trade Commission refers to this latest e-mail racket as “phishing.” As you noted, it all starts with an alarming e-mail, purportedly from a well-known online enterprise; lots are designed to look like epistles from banks, AOL, or the payment service PayPal. They say something’s wrong with your account and ask for your particulars. For example, a Pennsylvania-based scammer just pleaded guilty to sending out fake AOL e-mails, which included a link to a phony “AOL billing center.” A couple hundred gullible folks actually entered their credit card numbers. (The lady and her accomplice got rousted when they hit the spammer’s whammy—one of their phishy e-mails ended up in the inbox of an FBI agent.)

So, how do you avoid getting taken? Start by realizing that financial institutions and ISPs usually have policies of never asking for sensitive information over e-mail—and if they don’t, well, perhaps you’d better take your business elsewhere, ja? If you’re really concerned, call the inquisitor’s toll-free number, and dial the one printed on the back of your card or on your statement, not one lifted from the e-mail itself, since a crook can list any number he likes. What, the e-mail doesn’t list one at all? That’s a tip-off right there, and it leads to one of Mr. Roboto’s most hallowed Laws of Online Security: Never do business with someone who doesn’t provide off-line contact info, preferably of the 1-800 variety.

The more sophisticated phishing bait will feature a clickable link, like the one that guided dupes to the ostensible AOL billing center. Of course, you should always be wary of clicking on e-mail hyperlinks, as they can sometimes conceal worms and other online contagions, and the address you see on the screen needn’t be the address the link actually goes to. Instead, type the company’s address into your browser yourself, the way you normally would; if you must use the link, copy the address you see and paste it in, then compare it with what shows up in the address bar once the page loads.

Be aware, though, that it’s pretty easy to make a Web con appear realistic, especially to the untrained eye. Be alert to the lack of a padlock icon at the bottom of the browser window, which means the form isn’t being sent over a secured connection. Hucksters try to blind you to this by oversizing the window, thus obscuring the bottom bar; play around with the window size to get the real skinny. However, this past summer some real sharpies managed to fake the security lock on a shyster PayPal site by drawing a padlock into the page itself. This advanced deception can be sussed out by double-clicking on the padlock: a genuine one opens the site’s certificate, which names the site it was issued to, and that name should match the address you think you’re visiting rather than some shady ISP you’ve never heard of. A painted-on padlock opens nothing at all.

You can also play Encyclopedia Brown by checking out the e-mail source code. Outlook users can do this by right clicking on the message body and selecting “View Source.” Hunt around for the URLs in the resulting notepad file, in particular the href= targets sitting behind the clickable links; you’re likely to find that lots of ’em don’t trace back to the supposed sender, or that the address shown to you and the address the link really goes to are two different animals.
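To make the source-code sleuthing concrete, here is an added example in Python (not from the original column, and not any company’s tool): it parses a constructed phishing message modeled on the lures described above, pulls every link out of the HTML, and flags the ones whose real destination is a bare IP address, sits outside the sender’s domain, or differs from the address displayed to the reader. The sender, hosts and addresses in the sample are made up, and the domain matching is a deliberately crude last-two-labels comparison rather than a proper public-suffix lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of the lures above. Every address and host
# is made up; 203.0.113.7 is from a documentation-only range and points nowhere.
SAMPLE_EMAIL = """\
From: "PayPal Billing" <service@paypal.com>
To: victim@example.org
Subject: Unauthorized activity on your account
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>We detected unauthorized charges. Please verify your card within 24 hours:</p>
<p><a href="http://203.0.113.7/cgi-bin/paypal/billing.htm">https://www.paypal.com/billing</a></p>
<p>Questions? <a href="http://www.paypal.com/help">Help Center</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def registrable_domain(host):
    """Last two labels of a hostname (crude, but enough for this illustration)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def host_from_text(text):
    """Return the host if the anchor text is itself a URL or hostname, else None."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    if host and re.fullmatch(r"[\w.-]+\.[a-z]{2,}", host, re.IGNORECASE):
        return host
    return None


def html_body(msg):
    """Concatenate every text/html part of a parsed message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True)
            parts.append(raw.decode(part.get_content_charset() or "ascii", "replace"))
    return "".join(parts)


def audit_links(raw_message):
    """Return [(href, [reasons])] for every link; an empty reason list means clean.

    raw_ip: destination is a bare IP address.  foreign_host: destination is not
    under the From: domain.  text_mismatch: the address the reader sees is not
    where the link goes.  claims_https: text says https, real link is plain http.
    """
    msg = message_from_string(raw_message)
    sender_domain = registrable_domain(parseaddr(msg["From"])[1].rpartition("@")[2])

    collector = LinkCollector()
    collector.feed(html_body(msg))

    findings = []
    for href, text in collector.links:
        target = urlparse(href)
        host = (target.hostname or "").lower()
        reasons = []
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("raw_ip")
        if registrable_domain(host) != sender_domain:
            reasons.append("foreign_host")
        shown = host_from_text(text)
        if shown and registrable_domain(shown) != registrable_domain(host):
            reasons.append("text_mismatch")
        if text.lower().startswith("https://") and target.scheme == "http":
            reasons.append("claims_https")
        findings.append((href, reasons))
    return findings


def suspicious_links(raw_message):
    """Only the links that tripped at least one check."""
    return [(href, reasons) for href, reasons in audit_links(raw_message) if reasons]


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href, "->", ", ".join(reasons))
```

Run it and the first link, the one dressed up as a PayPal billing page, trips all four checks, while the innocuous help link passes. The From: header is compared only because it is what the reader sees; it is trivially forged, so a link that matches it is not thereby proven legitimate, but a link that contradicts it is as good as a confession.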

Also worth a visit is Hoaxbusters (hoaxbusters.ciac.org), a government site that lists all the newest scams. If you’d like to be part of the proverbial solution, forward your scam spam to the relevant company—for example, phishy PayPal come-ons can be sent to spoof@paypal.com. No guarantee the no-goodniks will be nabbed, as lots of them tend to reside abroad, but it’s worth a shot. While you’re at it, cc the FTC at uce@ftc.gov. Get Uncle Sam all riled up.

Mr. Roboto may be made of titanium, but he’s still got feelings of the tingly, climbing-the-rope-at-gym-class variety, dig? So he’s super-excited about the debut of Fleshbot (fleshbot.com), a porn blog from the geniuses behind Gawker and Gizmodo. Not safe for work, but otherwise the perfect way to conceal your animal urges beneath a veneer of geek intellectualism.